Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development Low-Impact Disinformation Campaigns Based in Russia, China, Iran, Israel Rashmi Ramesh (rashmiramesh_) • May 31, 2024     OpenAI says it caught actors from China, Russia, Iran and Israel using its tools to create disinformation. (Image: Shutterstock) OpenAI said […]

La entrada OpenAI Disrupts AI-Deployed Influence Operations – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Security Information & Event Management (SIEM) , Security Operations SIEM Provider Focuses on Acquisitions, Partner Channels, European Union Compliance Michael Novinson (MichaelNovinson) • May 31, 2024     Mikkel Drucker, CEO, Logpoint (Image: Logpoint) European SIEM provider Logpoint tapped the former chief executive of experience management firm Netigate as its […]

La entrada New Logpoint CEO Mikkel Drucker Seeks Growth Via M&A, MSSPs – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Fraud Management & Cybercrime , Healthcare , Industry Specific Asks Agencies Not to ‘Scapegoat’ Firm’s CISO, But to Hold CEO and Board Accountable Marianne Kolbasuk McGee (HealthInfoSec) • May 31, 2024     Sen. Ron Wyden, D-Ore. (Image: U.S. Congress) U.S. Sen. Ron Wyden, D-Ore., is urging the U.S. Securities […]

La entrada Senator Urges FTC, SEC to Investigate UHG’s Cyberattack – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cybercrime , Finance & Banking , Fraud Management & Cybercrime ShinyHunters Advertises Data Set of ’30 Million Customers’ for $2 Million David Perera (@daveperera) • May 31, 2024     Santander disclosed earlier this month a breach of a database hosted by a third party provider. (Image: Shutterstock) A hacker […]

La entrada Hacker Sells Apparent Santander Bank Customer Data – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Live Nation Entertainment has confirmed what everyone has been speculating on for the last week: Ticketmaster has suffered a data breach.

In a filing with the SEC, Live Nation said on May 20th it identified “unauthorized activity within a third-party cloud database environment containing Company data (primarily from its Ticketmaster L.L.C. subsidiary)” and launched an investigation.

The third party it refers to is likely Snowflake, a cloud company used by thousands of companies to store, manage, and analyze large volumes of data. Yesterday, May 31st, Snowflake said it had “recently observed and are investigating an increase in cyber threat activity” targeting some of its customers’ accounts. It didn’t mention which customers.

In the SEC filing, Live Nation also said:

On May 27, 2024, a criminal threat actor offered what it alleged to be Company user data for sale via the dark web. We are working to mitigate risk to our users and the Company, and have notified and are cooperating with law enforcement. As appropriate, we are also notifying regulatory authorities and users with respect to unauthorized access to personal information.

The user data likely refers to the sales ad for 560 million customers’ data that was posted online earlier this week by a group calling themselves ShinyHunters. The data was advertised for $500,000 and says it includes customer names, addresses, emails, credit card details, order information, and more.

Bleeping Computer says it spoke to ShinyHunters who said they already had interested buyers, and believed one of the buyers that approached them was Ticketmaster itself.

Ticketmaster says it has begun notifying its users of the breach. We are likely to hear more in the coming days, and will update you as we do.

For now, Ticketmaster users should keep an eye on their credit and bank accounts for an unauthorized transactions and follow our general data breach tips below.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

• Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
• Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
• Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
• Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
• Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
• Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
• Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Scan for your exposed personal data

While the Ticketmaster data is yet to be published in full, it’s likely you’ve had other personal information exposed online in previous data breaches. You can check what personal information of yours has been exposed with our Digital Footprint portal. Just enter your email address (it’s best to submit the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report.

The banking industry is one of the main pillars of any nation and they have been an integral part of the critical infrastructure. The government and private banks in the Middle East, Turkey, and Africa (META) region have also gone through several transformations, and with the advancement of AI, these financial institutions have adopted artificial intelligence to streamline the banking experience for the common citizens while also ensuring robust cybersecurity measures.    These banks offer a wide range of services beyond traditional banking, including investment banking, insurance, and asset management. As the financial landscape becomes increasingly complex, meta-banks are turning to artificial intelligence (AI) to streamline operations, enhance customer experiences, and mitigate risks.   The Cyber Express explores the AI revolution taking place in META  banks across the region and its benefits, challenges, and prospects of this transformative technology. 

The AI Revolution in META Banks 

The advent of AI has pushed conventional banking into a new era of endless possibilities. With its ability to process vast amounts of data and perform complex tasks with speed and accuracy, AI has become a game-changer in the financial industry.   META banks are leveraging AI algorithms and machine learning techniques to automate routine processes, analyze customer behavior, and make data-driven decisions. By harnessing the power of AI, these banks can gain a competitive edge by offering personalized products and services, reducing operational costs, and improving overall efficiency.  AI is revolutionizing various aspects of metabanking, from customer service to risk management. Chatbots, powered by AI, have become the face of customer interactions, providing round-the-clock assistance and resolving queries in real time.   These virtual assistants not only enhance customer satisfaction but also free up human resources to focus on more complex tasks. Additionally, AI-powered predictive analytics enable banks in the META region to identify patterns and trends in customer behavior, helping them tailor their offerings to meet individual needs. Moreover, AI algorithms are proving invaluable in detecting fraudulent activities, enhancing compliance, and minimizing financial risks.

Benefits of Artificial Intelligence-led Banking in the META Region

The benefits of AI in banking are manifold. Firstly, AI enables these banks to improve operational efficiency by automating repetitive tasks and reducing human error. This not only saves time but also lowers costs, allowing banks to allocate resources more effectively. By leveraging AI-powered analytics, META banks can gain valuable insights into customer preferences, enabling them to offer personalized products and services. This not only enhances customer satisfaction but also fosters loyalty and drives revenue growth. Furthermore, AI enhances risk management capabilities in META banks. With AI algorithms constantly monitoring transactions and analyzing patterns, potential fraudulent activities can be detected and flagged in real time.   This not only protects the interests of customers but also safeguards the reputation of META banks. AI-powered cybersecurity is a key component of this risk management strategy. By utilizing AI to identify and counter cyber threats, banks in the Middle East, Turkey, and Africa can ensure the security of their systems and protect sensitive customer data from unauthorized access. 

Implementing Artificial Intelligence in META Banks 

Implementing AI in the banking sector requires careful planning and strategic execution. The first step is to identify the areas where AI can bring the most value. This could include customer service, risk management, compliance, or data analytics. Once the areas are identified, META banks need to invest in the right AI technologies and infrastructure. This includes acquiring AI software, hardware, and the necessary IT resources to support AI implementation.  Data plays a crucial role in the success of AI implementation. Banks in the META region need to ensure that they have access to high-quality, structured data that can be used to train AI algorithms. This may require data integration and consolidation efforts across different systems and departments within the bank. Additionally, both private and government banks need to establish governance frameworks and protocols to ensure the ethical and responsible use of AI. This includes addressing issues such as bias, transparency, and accountability.  Cybersecurity is a top concern for financial institutions, given the sensitive nature of the data they handle. AI is proving to be a powerful tool in combating cyber threats and protecting customer information. AI-powered cybersecurity systems can analyze vast amounts of data in real time, detecting anomalies and identifying potential threats. These systems can learn from past attacks and adapt their defenses accordingly, making them more effective against cybercrime actors.   AI algorithms can detect patterns and behaviors that may indicate a cyber attack, such as unusual login attempts or unauthorized access to customer accounts. By continuously monitoring network traffic and user behavior, AI-powered cybersecurity systems can swiftly respond to potential threats, mitigating the risk of data breaches. Furthermore, AI can assist in fraud detection by identifying suspicious transactions or activities that deviate from normal customer behavior. 

Challenges and Risks of AI in META Banks 

While the benefits of AI in META banks are undeniable, some challenges and risks need to be addressed. One of the major challenges is the availability of quality data. AI algorithms rely on large volumes of accurate and relevant data to make accurate predictions and decisions. META banks need to ensure that their data is clean, well-structured, and easily accessible to maximize the effectiveness of AI. This may require investments in data management and data governance processes.  Another challenge is the ethical use of AI. As AI becomes more integrated into banking operations, concerns arise regarding bias, transparency, and privacy. AI algorithms can inadvertently perpetuate biases present in the data they are trained on, leading to unfair or discriminatory outcomes. META banks must establish ethical frameworks and guidelines to ensure that AI is used responsibly and in a manner that respects individual privacy and rights.  The future of AI in META banks is promising. As AI technologies continue to advance, banks in the META region will be able to further enhance their operations and customer experiences. One area with immense potential is predictive analytics. By leveraging AI algorithms, META banks can predict customer behavior, market trends, and economic indicators, enabling them to make informed business decisions and stay ahead of the competition.  Additionally, the rise of big data and the Internet of Things (IoT) will create new opportunities for AI in the META region. The ability to collect and analyze vast amounts of data from diverse sources will enable banks in the META region to gain deeper insights into customer preferences, market dynamics, and risk factors. AI-powered chatbots will become even more sophisticated, providing personalized recommendations and engaging in natural language conversations with customers. 

Conclusion

The AI revolution is reshaping the banking sector in the Middle East, Turkey, and Africa. By embracing AI technologies, banks in the META region can unlock a multitude of benefits, including improved operational efficiency, enhanced risk management, and personalized customer experiences.   However, the successful implementation of AI requires careful planning, investment in infrastructure, and the ethical use of data. Despite the challenges and risks, the future of AI in META banks is bright, with the potential to revolutionize the way financial services are delivered and experienced. 

This week on TCE Cyberwatch, we are looking at legal controversies that are now on the rise due to the introduction of new features in AI. Famous actors like Scarlett Johansson face the burnt of it, along with Governments who are getting together to discuss the impact of AI on important world events. Staying informed to know what is going on behind the scenes of things you may be using, watching, or partaking in is important. Vulnerabilities and breaches are constantly being found and occurring. In very common and large companies like Medisecure, it is important to ensure you know if something like that can be on its way to affect you. So, to stay updated, The Cyber Express has compiled the weekly happening in the cybersecurity world in the form of TCE Cyberwatch. Read on to find out what are they:

TCE Cyberwatch: A Weekly Round-Up

AI's Dark Side: Experts Warn of Cybercrime, Election Attacks at Congressional Hearing

At a U.S. congressional hearing on AI misuse, data security and privacy experts discussed AI’s diverse threats, including cybercrime, election interference, and nation-state attacks. The House Committee on Homeland Security announced their aim of incorporating AI into upcoming legislation, and panelists emphasized that AI has empowered cybercriminals, making it crucial to integrate AI into cybersecurity measures. The spokesperson from Palo Alto Networks stressed the need for secure AI development and oversight. Concerns about election security were raised, and the Centre for Democracy and Technology proposed guidelines for responsible AI use, emphasizing proper training data, independent testing, and human rights safeguards. They warned against the hasty deployment of AI, advocating for a careful approach to ensure long-term benefits. Read More

Courtroom Recording Software Hit by Supply Chain Attack, Thousands Potentially Affected

Hackers compromised Justice AV Solutions (JAVS), a widely-used courtroom recording platform, by inserting a backdoor in a software update. JAVS software, installed in over 10,000 locations globally, was affected when hackers replaced the Viewer 8.3.7 software with a compromised file. JAVS responded by removing the affected version from its website, resetting passwords, and auditing its systems. The company assured that current files are malware-free and urged users to verify their software is digitally signed. Cybersecurity firm Rapid7 identified the backdoor as linked to the GateDoor and Rustdoor malware families, often used by the ShadowSyndicate cybercrime group. They advised users to reimage affected systems and reset credentials, as merely uninstalling the software is insufficient. Read More

Australian Regulator Sues Optus Over Massive Data Breach of 10 Million Customers

Australia's media regulator is suing telecom carrier Optus, owned by Singapore Telecommunications, over a massive data breach in September 2022. The breach exposed the personal information of 10 million Australians, including addresses, passports, and phone numbers. Following the breach, Prime Minister Anthony Albanese advocated for stricter privacy laws to ensure companies notify banks quickly in such incidents. The Australian Communications and Media Authority claims Optus failed to protect customer data from unauthorized access. Optus, which has been cooperating with authorities, stated it cannot yet determine potential penalties and plans to defend itself in court. The company has been under scrutiny recently due to a separate 12-hour network blackout affecting over 10 million customers. Read More

Critical WordPress Vulnerabilities: Update Plugins Immediately!

The Cyber Security Agency of Singapore has issued an urgent alert regarding critical vulnerabilities in several WordPress plugins. These vulnerabilities pose significant security risks, potentially allowing unauthorized access and exploitation. To address these issues, security updates have been released. SingCERT has identified nine critical vulnerabilities, including those allowing arbitrary file uploads and SQL injection, and has provided mitigation strategies. Users are strongly advised to update to the latest plugin versions immediately. Additional measures, such as virtual patching, can offer temporary protection. Regular updates and monitoring are essential for safeguarding WordPress websites against potential threats. For more details, users should consult the respective plugin documentation and developer updates. Read More

Ransomware Attack on Spanish Bioenergy Plant Highlights ICS Vulnerabilities

A ransomware attack by the Ransomhub group on the Industrial Control Systems (ICS) of a Spanish bioenergy plant underscores the risks of cyberattacks on critical infrastructure. The attack targeted the SCADA system, crucial for managing the plant's operations, encrypting over 400 GB of data and disrupting essential functions. Organizations must fortify defenses by implementing robust network segmentation, regular software updates, secure remote access, and diligent monitoring. Developing and testing incident response plans are essential to minimize the impact of such attacks. This incident highlights the need for heightened vigilance and proactive measures to protect critical infrastructure from cyber threats. Read More 

Islamabad's Safe City Project Exposed: Hack Highlights Security Failures

Islamabad’s Safe City Authority faced a severe disruption after hackers breached its online system, forcing an immediate shutdown. The project, launched with Chinese financial support, aimed to enhance security with advanced technology, including CCTV cameras and facial recognition. The hack exposed vulnerabilities, as hackers accessed sensitive databases and compromised crucial systems like criminal records and human resources. Despite a firewall alert, the lack of backup servers necessitated a complete shutdown. The breach affected key services, revealing weak security practices, such as simple login credentials and outdated software. The isolated camera management system remained secure. Police confirmed the breach and have taken steps to improve security. The project, controversial due to transparency issues and cost overruns, has faced criticism for not achieving its security goals. Financial difficulties and operational setbacks further marred its effectiveness, and the recent hack has intensified scrutiny of the initiative. Read More 

Massive Data Breach at Pharma Giant Cencora Exposes Millions

The Cencora data breach has impacted more than a dozen pharmaceutical companies, including Novartis and GlaxoSmithKline, leaking personal and health data of hundreds of thousands. Cencora, formerly AmerisourceBergen, and its Lash Group affiliate revealed the breach to the SEC, indicating data exfiltration from its systems. With operations in 50 countries and significant revenue, Cencora did not initially detail the breach's scope but later notifications identified 15 affected companies. At least 542,000 individuals' data, including names, addresses, birthdates, health diagnoses, and prescriptions, were compromised. Despite the breach, no misuse or public disclosure of the data has been reported. The company has offered affected individuals credit monitoring and identity theft protection services and is enhancing its security measures. This incident highlights ongoing vulnerabilities in the healthcare sector, which has seen several recent cyberattacks. Read More

MediSecure Ransomware Breach: 6.5 TB of Patient Data Listed for Sale on Dark Web

MediSecure, an Australian digital prescription service provider, confirmed that data stolen in a recent ransomware attack is for sale on the dark web. The breach, originating from a third-party provider, exposed personal and health information of patients and healthcare providers up to November 2023. The hacker, Ansgar, began selling the data for $50,000 on May 23, claiming to possess 6.5 terabytes of sensitive information. MediSecure alerted the public, urging them not to seek out the stolen data, which includes names, addresses, emails, phone numbers, insurance numbers, prescriptions, and login details. Australia's National Cyber Security Coordinator and police are investigating. MediSecure emphasized that the breach does not affect the Australian healthcare system's ongoing operations or access to medication. They are working to notify affected individuals and assure them of measures to protect against further risks. Read More

OpenAI Backtracks on Voice Assistant After Scarlett Johansson Raises Concerns

OpenAI's new voice assistant debuts with a voice similar to actress Scarlett Johansson's, who expresses shock and anger, as she had previously declined an offer to voice ChatGPT, especially given her role in the 2013 film *Her*. OpenAI's CEO, Sam Altman, seemingly acknowledged this connection in a social media post. Despite OpenAI's claim that the voice belonged to another actress, Johansson's concerns highlight broader tensions between AI and the creative industries. OpenAI has since dropped the controversial voice and is working on tools for content creators to manage their work's use in AI training. The incident underscores the need for stronger legal protections, like the No Fakes Act, to safeguard personal likenesses. Legal experts believe Johansson might have grounds for a lawsuit, referencing similar past cases like Bette Midler's against Ford. As AI technology advances, such legal disputes are expected to increase. Read More

To Wrap Up

Here at TCE, we hope these weekly roundups continue to keep you informed about the latest in the cybersecurity industry. Our coverage not only includes cyberattacks but also developments in the legal aspects of AI, which are becoming increasingly important as technology evolves. We aim to keep you updated on new developments in the industry, including impacts on companies and the general public, such as recent events involving Medicare. Our goal is to ensure everyone stays safe and knows the appropriate responses if affected by these situations.

Senator Ron Wyden wants the FTC and SEC to investigate the ransomware attack on UnitedHealth's Change subsidiary to see if there was criminal negligence by the CEO or board.

The post Senator Calls for FTC, SEC Probe Into UnitedHealth’s ‘Negligence’ in Breach appeared first on Security Boulevard.

The U.S. National Institute of Standards and Technology (NIST) has taken a big step to address the growing backlog of unprocessed Common Vulnerabilities and Exposures (CVEs) in the National Vulnerability Database (NVD). The institute has hired an external contractor to contribute additional processing support in its operations. The contractor hasn't been named, but NIST said it expects that the move will allow it to return to normal processing rates within the next few months.

Clearing the National Vulnerability Database Backlog

NIST is responsible for managing entries in the NVD. After being overwhelmed with the volume of entries amid a growing backlog of CVEs that have accumulated since February, the institute has awarded an external party with a contract to aid in its processing efforts. "We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months," the agency stated. To further alleviate the backlog, the NIST is also working closely with CISA, the Cybersecurity and Infrastructure Security Agency, to improve its overall operations and processes. "We anticipate that this backlog will be cleared by the end of the fiscal year," the NIST stated. In its status update, NIST referenced an earlier statement the agency made that it was exploring various means to address the increasing volume of vulnerabilities through the use of modernized technology and improvements to its processes. [caption id="attachment_73938" align="alignnone" width="2332"] Source: NIST NVD Status Updates[/caption] "Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance," the institute said. NIST reaffirmed its commitment to maintaining and modernizing the NVD, stating, "NIST is fully committed to preserving and updating this vital national resource, which is crucial for building trust in information technology and fostering innovation."

CISA's 'Vulnrichment' Initiative

In response to the growing NVD backlog at NIST, CISA had launched its own initiative called "Vulnrichment" to help enrich the public CVE records. CISA's Vulnrichment project is designed to complement the work of the originating CNA (Common Vulnerabilities and Exposures Numbering Authority) and reduce the burden on NIST's analysts. CISA said it would use an SSVC decision tree model to categorize vulnerabilities. The agency will consider factors like exploitation status, technical impact, impact on mission-essential functions, public well-being, and whether the exploitation is automatable. CISA welcomes feedback from the IT cybersecurity community on this effort. By providing enriched CVE data, CISA aims to improve the overall quality and usefulness of the NVD for cybersecurity professionals. "For those CVEs that do not already have these fields populated by the originating CNA, CISA will populate the associated ADP container with those values when there is enough supporting evidence to do so," the agency explained. As NIST and CISA work to address the current challenges, they have pledged to keep the community informed of their progress as well as on future modernization plans. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A threat actor has reportedly taken responsibility for recent data breaches involving Ticketmaster and Santander Bank, claiming they stole data after hacking an employee account at Snowflake, a third-party cloud storage company. Snowflake, however, has shot down these breach claims, attributing the breaches to poor credential hygiene in customer accounts instead.

"To date, we do not believe this activity is caused by any vulnerability, misconfiguration, or malicious activity within the Snowflake product," the cloud storage giant said in a statement today.

Snowflake's AI Data Cloud platform serves more than 9,000 customers, including major companies such as Adobe, AT&T, Capital One, DoorDash, HP, JetBlue, Mastercard, Micron, NBC Universal, Nielsen, Novartis, Okta, PepsiCo, Siemens, US Foods, Western Union, and Yamaha, among others.

Alleged Snowflake Breach Details

According to cybersecurity firm Hudson Rock, the threat actor claims to have accessed data from additional high-profile companies using Snowflake's services, including Anheuser-Busch, State Farm, Mitsubishi, Progressive, Neiman Marcus, Allstate, and Advance Auto Parts. The method described involved bypassing Okta's authentication by using stolen credentials to log into a Snowflake employee's ServiceNow account. From there, they allegedly generated session tokens to extract data from Snowflake customers. Hudson Rock reported that the threat actor claimed the breach affected up to 400 companies, showing evidence of access to over 2,000 customer instances related to Snowflake's Europe servers.

Extortion Attempt and Malware Involvement

The threat actor claimed to have attempted to extort Snowflake for $20 million to buy back the stolen data, but Snowflake did not respond. Hudson Rock noted that a Snowflake employee was infected with a Lumma-type Infostealer in October, which stole their corporate credentials. The malware infection was supported by screenshots shared by the threat actor.

Snowflake Responds

Snowflake has confirmed breaches of customer accounts but denied that any vulnerability or misconfiguration in its products was exploited. The cloud storage company stated that they observed unauthorized access to certain customer accounts , which they said is likely unrelated to any flaws in Snowflake's infrastructure.

"We believe this is the result of ongoing industry-wide, identity-based attacks with the intent to obtain customer data. Research indicates that these types of attacks are performed with our customers’ user credentials that were exposed through unrelated cyber threat activity.

Snowflake has notified the "limited" number of customers about these attacks and urged them to enhance their account security by enabling multi-factor authentication (MFA).

Tools and Indicators of Compromise

The company published a security bulletin containing Indicators of Compromise (IoCs), investigative queries, and guidance for securing affected accounts. One IoC indicates that the threat actors used a custom tool named "RapeFlake" to exfiltrate data from Snowflake's databases. Another showed the use of "DBeaver Ultimate" data management tools, with logs indicating connections from the "DBeaver_DBeaverUltimate" user agent. Snowflake also shared query to identify access from suspected clients and how to disable a suspected user. But this might not be enough. A very important step here is: "If you have enabled the ALLOW_ID_TOKEN parameter on your account, the user must be left in the disabled state for 6 hours to fully invalidate any possible unauthorized access via this ID token feature.  If the user is re-enabled before this time the attacker may be able to generate a new session using an existing ID token, even after the password has been reset or MFA has been enabled." While a threat actor claims to have breached Snowflake and accessed data from numerous high-profile companies, Snowflake maintains that these breaches resulted from compromised customer accounts rather than any inherent vulnerabilities in their systems. Snowflake continues to investigate the incidents and has taken steps to improve customer account security.

Carrier has issued a serious product security advisory confirming the existence of several vulnerabilities in its LenelS2 NetBox access control and event monitoring platform. These vulnerabilities expose the monitoring system to potential compromise, such as remote code execution. The reported vulnerabilities are significant, as NetBox is often used to guard entries at critical facilities such as government-controlled sites and major corporations.

Multiple Vulnerabilities in Carrier's LenelS2 NetBox

Three vulnerabilities were identified in Carrier's product security advisory for NetBox. The most critical (CVE-2024-2420) of these vulnerabilities could potentially enable an attacker to circumvent authentication requirements and obtain elevated permissions, presenting a serious risk to enterprises which deploy the tool. [caption id="attachment_73894" align="alignnone" width="1478"] Source: Carrier Product Security Advisory[/caption] Successful compromise could allow an attacker to install programs, view, edit, modify data, delete data from the platform or create new user accounts with full privileges. However, this depends on the access level of accounts that had been compromised in the event of an attack. The impact of a potential attack could be lower on systems configured with low level of user access. The vulnerabilities affect all LenelS2 NetBox versions prior to 5.6.2. The identified vulnerabilities are as follows:

• CVE-2024-2420 (CVSS v3.1 Base Score 9.8, Critical): A vulnerability involving a hard-coded password in the system that could permit an attacker to bypass authentication requirements.
• CVE-2024-2421 (CVSS v3.1 Base Score 9.1, Critical): An unauthenticated remote code execution vulnerability that could permit an attacker with elevated permissions to run malicious commands
• CVE-2024-2422 (CVSS v3.1 Base Score 8.8, High): An authenticated remote code execution vulnerability that could permit an attacker to execute malicious commands.

The Center of Internet Security stated that these vulnerabilities pose higher risks to large and medium government or business entities, while posing lower risks to small businesses and individual home owners. [caption id="attachment_73896" align="alignnone" width="1128"] Source: cisecurity.org[/caption]

Vulnerability Remediation

Carrier has attempted to address these vulnerabilities in its latest release of NetBox version 5.6.2. Carrier has advised customers to immediately upgrade to the latest release version by reaching out to their authorized NetBox installer. As mitigation, Carrier also advised customers to follow the recommended deployment guidelines, which are detailed in its NetBox hardening guide accessible through NetBox's built-in help menu. The Center of Internet Security has advised customers to take additional measures such as applying appropriate updates to NetBox systems, applying the principle of least privilege to user accounts, rigorous scanning of vulnerabilities and isolating critical systems, functions, or resources. The lack of basic security safeguards along with poor code practices such as the presence of hard-coded authentication tokens and improper input sanitization raises concerns about the usage of NetBox to guard physical access to important business and government areas or critical infrastructure. While there are no confirmed reports of the NetBox vulnerabilities being exploited in the wild, the severity of these vulnerabilities mark them as an important security consideration as countless organizations could be at risk of devastating attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A new Microsoft Windows feature dubbed Recall planned for Copilot+ PCs has been called a security and privacy nightmare by cybersecurity researchers and privacy advocates. Copilot Recall will be enabled by default and will capture frequent screenshots, or “snapshots,” of a user’s activity and store them in a local database tied to the user account. The potential for exposure of personal and sensitive data through the new feature has alarmed security and privacy advocates and even sparked a UK inquiry into the issue.

Copilot Recall Privacy and Security Claims Challenged

In a long Mastodon thread on the new feature, Windows security researcher Kevin Beaumont wrote, “I’m not being hyperbolic when I say this is the dumbest cybersecurity move in a decade. Good luck to my parents safely using their PC.” In a blog post on Recall security and privacy, Microsoft said that processing and storage are done only on the local device and encrypted, but even Microsoft’s own explanations raise concerns: “Note that Recall does not perform content moderation. It will not hide information such as passwords or financial account numbers. That data may be in snapshots that are stored on your device, especially when sites do not follow standard internet protocols like cloaking password entry.” Security and privacy advocates take issue with assertions that the data is stored securely on the local device. If someone has a user’s password or if a court orders that data be turned over for legal or law enforcement purposes, the amount of data exposed could be much greater with Recall than would otherwise be exposed. Domestic abuse situations could be worsened. And hackers, malware and infostealers will have access to vastly more data than they would without Recall. Beaumont said the screenshots are stored in a SQLite database, “and you can access it as the user including programmatically. It 100% does not need physical access and can be stolen.” He posted a video (republished below) he said was of two Microsoft engineers gaining access to the Recall database folder with apparent ease, “with SQLite database right there.” [videopress izzNn3K5]

Does Recall Have Cloud Hooks?

Beaumont also questioned Microsoft’s assertion that all this is done locally. “So the code underpinning Copilot+ Recall includes a whole bunch of Azure AI backend code, which has ended up in the Windows OS,” he wrote on Mastodon.  “It also has a ton of API hooks for user activity monitoring. “It opens a lot of attack surface. ... They really went all in with this and it will have profound negative implications for the safety of people who use Microsoft Windows.”

Data May Not Be Completely Deleted

And sensitive data deleted by users will still be saved in Recall screenshots. “There's no feature to delete screenshots of things you delete while using your PC,” Beaumont said. “You would have to remember to go and purge screenshots that Recall makes every few seconds. If you or a friend use disappearing messages in WhatsApp, Signal etc, it is recorded regardless.” One commenter said Copilot Recall seems to raise compliance issues too, in part by creating additional unnecessary data that could survive deletion requests. “[T]his comprehensively fails PCI and GDPR immediately and the SOC2 controls list ain't looking so good either,” the commenter said. Leslie Carhart, Director of Incident Response at Dragos, replied that “the outrage and disbelief are warranted.” A second commenter noted, “GDPR has a very simple concept: Data Minimization. Quite simply, only store data that you actually have a legitimate, legal purpose for; and only for as long as necessary. Right there, this fails in spectacular fashion on both counts. It's going to store vast amounts of data for no specific purpose, potentially for far longer than any reasonable use of that data.” It remains to be seen if Microsoft will make any modifications to Recall to quell concerns before it officially ships. If not, security and privacy experts may find themselves busier than ever.

Researchers have uncovered new attacks by a North Korean advanced persistent threat actor – Andariel APT group – targeting Korean corporations and other organizations. The victims include educational institutions and companies in the manufacturing and construction sectors. The attackers employed keyloggers, infostealers, and proxy tools alongside backdoors to control and extract data from compromised systems, said researchers at the AhnLab Security Intelligence Center (ASEC). The malware used in these attacks includes strains previously attributed to the Andariel APT group, including the backdoor "Nestdoor." Additional tools include web shells and proxy tools linked to the North Korean Lazarus group that now contain modifications compared to earlier versions. Researchers first observed a confirmed attack case where a malware was distributed via a web server running an outdated 2013 version of Apache Tomcat, which is vulnerable to various attacks. "The threat actor used the web server to install backdoors, proxy tools, etc.," the researchers said. [caption id="attachment_73866" align="aligncenter" width="1000"] Apache Tomcat compromised to spread malware by Andariel APT. (Credit: Ahnlab)[/caption]

Malware Used by Andariel APT in this Campaign

The first of the two malware strains used in the latest campaign was Nestdoor, a remote access trojan (RAT) that has been active since May 2022. This RAT can execute commands from the threat actor to control infected systems. Nestdoor has been found in numerous Andariel attacks, including those exploiting the VMware Horizon product’s Log4Shell vulnerability (CVE-2021-44228). The malware is developed in C++ and features capabilities such as file upload/download, reverse shell, command execution, keylogging, clipboard logging, and proxy functionalities. A specific case in 2022 involved Nestdoor being distributed alongside TigerRAT using the same command and control (C&C) server. Another incident in early 2024 saw Nestdoor disguised as an OpenVPN installer. This version maintained persistence via the Task Scheduler and communicated with a C&C server. The Andariel APT has been developing new malware strains in the Go language for each campaign. Dora RAT, a recent discovery is one such malware strain. The backdoor malware supports reverse shell and file transfer operations and exists in two forms: a standalone executable and an injected process within "explorer.exe." The latter variant uses an executable in WinRAR SFX format, which includes an injector malware. The Dora RAT has been signed with a valid certificate from a UK software developer in an attempt to make it look legitimate.

Additional Malware Strains

• Keylogger/Cliplogger: Performs basic functions like logging keystrokes and clipboard contents, stored in the “%TEMP%” directory.
• Stealer: It is designed to exfiltrate files from the system, potentially handling large quantities of data.
• Proxy: Includes both custom-created proxy tools and open-source Socks5 proxy tools. Some proxies are similar to those used by the Lazarus group in past attacks.

The Andariel group, part of the larger Lazarus umbrella, has shifted from targeting national security information to also pursuing financial gains. Last month, the South Korean National Police Agency revealed a targeted campaign of the Andariel APT aimed at stealing the country’s defense technology. Andariel APT hackers gained access to defense industry data by compromising an employee account, which was used in maintaining servers of a defense industry partner. The hackers injected malicious code into the partner’s servers around October 2022, and extracted stored defense technology data. This breach exploited a loophole in how employees used their personal and professional email accounts for official system access. Andariel APT's initial attack methodology primarily includes spear phishing, watering hole attacks, and exploiting software vulnerabilities. Users should remain cautious with email attachments from unknown sources and executable files from websites. Security administrators are advised to keep software patched and updated, including operating systems and browsers, to mitigate the risk of malware infections, the researchers recommended.

IoCs to Watch for Signs of Andariel APT Attacks

IoCs to monitor for attacks from Andariel APT group include: MD5s – 7416ea48102e2715c87edd49ddbd1526: Nestdoor – Recent attack case (nest.exe) – a2aefb7ab6c644aa8eeb482e27b2dbc4: Nestdoor – TigerRAT attack case (psfile.exe) – e7fd7f48fbf5635a04e302af50dfb651: Nestdoor – OpenVPN attack case (openvpnsvc.exe) – 33b2b5b7c830c34c688cf6ced287e5be: Nestdoor launcher (FirewallAPI.dll) – 4bc571925a80d4ae4aab1e8900bf753c: Dora RAT dropper (spsvc.exe) – 951e9fcd048b919516693b25c13a9ef2: Dora RAT dropper (emaupdate.exe) – fee610058c417b6c4b3054935b7e2730: Dora RAT injector (version.dll) – afc5a07d6e438880cea63920277ed270: Dora RAT injector (version.dll) – d92a317ef4d60dc491082a2fe6eb7a70: Dora RAT (emaupdate.exe) – 5df3c3e1f423f1cce5bf75f067d1d05c: Dora RAT (msload.exe) – 094f9a757c6dbd6030bc6dae3f8feab3: Dora RAT (emagent.exe) – 468c369893d6fc6614d24ea89e149e80: Keylogger/Cliplogger (conhosts.exe) – 5e00df548f2dcf7a808f1337f443f3d9: Stealer (msload.exe) C&Cs – 45.58.159[.]237:443: Nestdoor – Recent attack case – 4.246.149[.]227:1443: Nestdoor – TigerRAT attack case – 209.127.19[.]223:443: Nestdoor – OpenVPN attack case – kmobile.bestunif[.]com:443 – Dora RAT – 206.72.205[.]117:443 – Dora RAT

In “Living off the Land attacks,” adversaries use USB devices to infiltrate industrial control systems. Cyberthreats from silent residency attacks put critical infrastructure facilities at risk.

The post A Major Industrial Cybersecurity Threat: Living off the Land Attacks appeared first on Security Boulevard.

Daft name, serious risk: Kit from ActionTec and Sagemcom remotely ruined and required replacement.

The post ‘Pumpkin Eclipse’ — 600,000+ Rural ISP Routers Bricked Beyond Repair appeared first on Security Boulevard.

On May 29, 2024, the US Department of Justice (DOJ) announced it had dismantled what was likely the world’s largest botnet ever. This botnet, called “911 S5,” infected systems at over 19 million IP addresses across more than 190 countries. The main sources of income for the operators, who stole a billions of dollars across a decade, came from committing pandemic and unemployment fraud, and by selling access to child exploitation materials.

The botnet operator generated millions of dollars by offering cybercriminals access to these infected IP addresses. As part of this operation, a Chinese national, YunHe Wang, was arrested. Wang is reportedly the proprietor of the popular service.

Of the infected Windows devices, 613,841 IP addresses were located in the United States. The DOJ also called the botnet a residential proxy service. Residential proxy networks allow someone in control to rent out a residential IP address which then can be used as a relay for their internet communications. This allows them to hide their true location behind the residential proxy. Cybercriminals used this service to engage in cyberattacks, large-scale fraud, child exploitation, harassment, bomb threats, and export violations.

To set up this botnet, Wang and his associates provided users with free, illegitimate VPN applications that were created to connect to the 911 S5 service. Unaware of the proxy backdoor, once users downloaded and installed these VPN applications, they unknowingly became part of the 911 S5 botnet.

Sometimes the VPN applications were bundled with games and other software and installed without user consent.

For this reason, the FBI has published a public service announcement (PSA) to help users find out if they have been affected by this botnet.

Users can start by going over this list of malicious VPN applications associated with the 911 S5 botnet:

• MaskVPN
• DewVPN
• PaladinVPN
• ProxyGate
• ShieldVPN
• ShineVPN

If you have one of these VPN applications installed, sometimes you can find an uninstaller located under the Start menu option of the VPN application. If present, you can use that uninstall option.

If the application doesn’t present you with an uninstall option, then follow the steps below to attempt to uninstall the application:

• Click on the Start menu (Windows button) and type “Add or remove programs” to bring up the “Add and Remove Programs” menu.
• Search for the name of the malicious VPN application.
• Once you find the application in the list, click on the application name, and select the “Uninstall” option.

Once you have uninstalled the application, you will want to make sure it’s no longer active. To do that, open the Windows Task manager. Press Control+Alt+Delete on the keyboard and select the “Task Manager” option or right-click on the Start menu (Windows button) and select the “Task Manager” option.

In Task Manager look under the “Process” tab for the following processes:

• MaskVPN (mask_svc.exe)
• DewVPN (dew_svc.exe)
• PaladinVPN (pldsvc.exe)
• ProxyGate (proxygate.exe, cloud.exe)
• ShieldVPN (shieldsvc.exe)
• ShineVPN (shsvc.exe)

If found, select the service related to one of the identified malicious software applications running in the process tab and select the option “End task” to attempt to stop the process from running.

Or, download Malwarebytes Premium (there is a free trial) and run a scan.

Whether you’re using the free or paid version of the app, you can manually run a scan to check for threats on your device. 

1. Open the app.
2. On the main dashboard, click the Scan button.
3. A progress page appears while the scan runs.
4. After the scan finishes, it displays the Threat scan summary.
   • If the scan detected no threats: Click Done.
   • If the scan detected threats on your device: Review the threats found on your computer. From here, you can manually quarantine threats by selecting a detection and clicking Quarantine.
5. Click View Report or View Scan Report to see a history of prior scans. After viewing the threat report, close the scanner window.

If neither of these options, including the Malwarebytes scan, resolve the problem, the FBI has more elaborate instructions. You can also contact the Malwarebytes Support team to assist you.

---

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

South Korean researchers have observed the malicious use of pirated copies and cracked activators of legitimate productivity and office utility programs such as Hangul Word Processor and Microsoft Office to disguise malicious programs. The malware maintains persistence by scheduling regular upgrades on affected systems, leading to consistent installation of newer strains of the malware multiple times every week.

Malicious Pirated Copies of Microsoft Office and Other Programs

Researchers from AhnLab discovered that attackers have been creating and distributing malicious copies of popular utility software. These copies were distributed through common file-sharing platforms and torrent websites. The operation takes advantage of users looking to obtain free copies of software without paying the required license fee. When downloaded and executed, the programs usually appear as convincing cracked installers or activators for programs such as Microsoft Office or the Hangul word processor. While the initial downloader was developed in .NET, the attackers appear to have moved to more obfuscated attack techniques. The malware retrieves its instructions for the next stage of its attack from Telegram or Mastodon channels operated by the attackers. These channels contain encrypted Base64 strings that lead to Google Drive or GitHub URLs that host the malicious payloads. These malicious payloads are downloaded and decrypted through the use of the legitimate 7-zip archive utility that is commonly present on systems and operates with low footprint. Researchers discovered that the decrypted payloads contained PowerShell instructions to load and execute additional malware components on the victim's system. The malware strains loaded on the infected systems include:

• OrcusRAT: A remote access trojan with extensive capabilities like keylogging, webcam access, and remote screen control.
• XMRig Cryptominer: Configured to stop mining when resource-intensive apps are running to avoid detection. Also kills competing miners and security products.
• 3Proxy: Injects itself into legitimate processes to open a backdoor proxy server.
• PureCrypter: Fetches and runs additional malicious payloads from attacker-controlled servers.
• AntiAV: Disrupts security products by repeatedly modifying their configuration files.

The commands include an updater that contains instructions to maintain persistence over the system through the use of the native Windows Task Scheduler present on the Windows operating system. C&C server addresses shared by the researchers also indicate that they have been disguised as a minecraft rpg server.

Continuous Reinfection and Distribution

The researchers said systems may remain infected even after the initial infection has been removed, due to the malware's ability to update itself as well as download additional malware payloads. They stated that the attackers had distributed new malware on affected systems multiple times each week to bypass file detection. The researchers said the number of systems that had been compromised in these attacks continued to increase as the registered task scheduler entries loaded additional malicious components on affected systems despite the removal of previous underlying malware. The researchers advised South Korean users to download software and programs from their official sources rather than file-sharing sites. Users who suspect that their systems may already have been infected should remove associated task scheduler entries to block the download of additional malware components, and update their antivirus software to the latest available versions. The researchers have additionally shared indicators of compromise, categories that have been detected as flagged in the attack, MD5 hashes of files used in the attack, associated C&C server addresses, and suspicious behaviors that have been observed during the attack. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Hawk Eye, a popular citizen-friendly crime reporting app of Telangana State Police in India, appears to have been hit by a massive data breach, a claim that sources have unofficially confirmed for The Cyber Express. The Hawk Eye app data breach was reportedly masterminded by a threat actor who goes by the name "Adm1nFr1end." The claim that the Hawk Eye app had been hacked emerged May 29 on the data leak site BreachForums. The threat actor claimed that they were revealing the stolen database, which consists of the Personally Identifiable Information (PII) of users, including the names, email addresses, phone numbers, physical addresses, IMEI numbers, and their location coordinates. To substantiate the data breach claim, the threat actor attached sample records, with the latest timestamp of May 2024, while disclosing that the database includes 130,000 SOS records, 70,000 incident reports, and 20,000 travel detail records (screenshot below).

Login Data Exposes Hawk Eye App Data Breach

The Hawk Eye App was launched by the Telangana Police in December 2014 for both Android and iPhone users as part of its initiative to become a citizen-friendly and responsive police force. Denizens were encouraged to use the app to report on a wide range of activities, including traffic violations, passing on information about criminals, violations by police, and crime against women, and also to pass on suggestions to the lawmen for improved policing and to credit the good work done by them. A key feature of the app is the SOS button for accessing help in case of emergencies. While logging into the App, users are required to share their personal details, including name, email ID, mobile number and password for registration. The app currently has a 4.4 rating on the Google Play Store, with more than 500,000 downloads on Android alone. [caption id="attachment_73712" align="alignnone" width="720"] Source: Hawk Eye App on Android[/caption]

Hawk Eye App Data Breach Samples

A few of the samples exposed by the threat actor revealed that one woman had filed a complaint on the Hawk Eye App to share that a man had initially promised to marry her and is now facing threats from him and his family. Alarmingly, the data leak revealed her name, mobile number, location, date, and time of complaint, potentially putting her at risk. In several other cases, citizens had filed complaints of traffic violations, and their data used initially to login to the App, including name, email address, and phone numbers, were revealed in the data breach. What is noteworthy about the above examples is that all these users had filed complaints only in May 2024, which suggests that the data from the Hawk Eye App was hacked this month.

Cops Wary of Hawk Eye App Data Breach

When The Cyber Express downloaded the “Hawk Eye -Telangana Police” app on Android on May 31, the app remained non-functional after the tester entered the primary details. Surprisingly, the app did not appear when the user tried to download it from the Apple Store. Sources in the Telangana Police have confirmed to The Cyber Express that there was a failure to upgrade the app and the process for updating a patch is an ongoing exercise. Police sources in the Telangana IT wing shared that they were working with vendors to install an updated patch. This, the police officials shared, could be a reason for the app details being breached. Additional Director General of Police (Technical Services) VV Srinivasa Rao of the Telangana Police shared that the task of upgrading Hawk Eye has been given to developers and that it should be available for the latest Android versions shortly. DGP Shikha Goel, who is also the director of the Telangana State Cyber Security Bureau, was unavailable for comment. We update this story as we get more information. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The operators of RedTail cryptominer, which was the biggest cryptominer operation last year, have now started to take advantage of the Palo Alto PAN-OS CVE-2024-3400 vulnerability to target their victims. According to a report by cloud computing company Akamai, the hacker expanded their attack vector to include the Palo Alto PAN-OS vulnerability, though the sophistication and evasive techniques utilized by the RedTail variant are notable in this campaign, they wrote. The evolution of the RedTail cryptominer hints at a direct investment of resources, particularly staffing, infrastructure, and advanced obfuscation techniques. The threat actor’s chain of infection begins with the adoption of CVE-2024-3400 vulnerability and the incorporation of private cryptomining pools into their operation. 

RedTail Cryptominer Leverages Private Cryptomining Pools

According to Akamai, the folks behind the RedTail cryptominer have chosen to use "private cryptomining pools" to have more control over their mining activities, even though it comes with higher operational and financial costs. The tactics used in this campaign closely resemble those used by the Lazarus group, as per the research. One noteworthy aspect of this variant is its use of private cryptomining pools. By using these private pools, the attackers can have better control and security over their operations, just like other popular threat groups. This shift towards private pools suggests a more coordinated and intentional strategy in cryptomining activities, which raises the possibility of involvement by nation-state actors. The goal of combining system and user prompts is to help the assistant refine the text and make it sound more like it was written by a human, while still maintaining the original content's purpose and accuracy.

RedTail Cryptominer: Sneaky and Stealthy

The RedTail cryptominer is no amateur when it comes to flying under the radar and maintaining its grip on compromised systems. It employs clever tactics like anti-research measures and blends the XMRig cryptomining code with extra layers of encryption and logic. This sneaky combination of system and user prompts is designed to enhance the assistant's skills in transforming the text into a more natural and relatable version, all while staying true to the original content's purpose and accuracy. So, let's dive in and uncover the secrets of the RedTail cryptominer! This malware really knows its stuff when it comes to cryptomining. It optimizes its operations to be as efficient and profitable as possible. By using a combination of system and user prompts, the goal is to help the assistant transform the text into something that sounds more human-like while staying true to the original content's purpose and accuracy. In addition to exploiting the PAN-OS CVE-2024-3400 vulnerability, the actors behind RedTail are targeting a variety of other vulnerabilities across different devices and platforms. This encompasses exploits aimed at SSL-VPNs, IoT devices, web applications, and security devices like Ivanti Connect Secure.

How to Use the  Akamai App & API Protector?

Akamai suggests Akamai App&API Protector for additional security features and identifies all Palo Alto devices and patches them to prevent the RedTail cryptominer. The users can also harden their devices for cyberattacks such as web platform attacks, command injections, and local file inclusion.  In addition, instead of merely relying on PAN-OS CVE-2024-3400 vulnerability, the developers of RedTail take advantage of several other vulnerabilities in different platforms and devices. These involve breaches to SSL VPNs, IoT products, web apps, as well as security appliances such as Ivanti Connect Secure.

Noteworthy stories that might have slipped under the radar: Apple WPS can be abused for surveillance, Canadian government wants backdoors, NIST launches AI program.

The post In Other News: Apple WPS Surveillance, Canadian Gov Wants Backdoors, NIST AI Program appeared first on SecurityWeek.

AI has the potential to revolutionize industries and improve lives, but only if we can trust it to operate securely and ethically.

Related: The key to the GenAI revolution

By prioritizing security and responsibility in AI development, we can harness … (more…)

The post GUEST ESSAY: Taking a systematic approach to achieving secured, ethical AI model development first appeared on The Last Watchdog.

The post GUEST ESSAY: Taking a systematic approach to achieving secured, ethical AI model development appeared first on Security Boulevard.

As per recent reports a new social engineering attack attributed to the North Korea-linked Kimsuky hacking group is targeting human rights activists using fake Facebook accounts. This tactic, involving fictitious identities, marks a significant shift from their typical email-based spear-phishing strategies. According to a report by South Korean cybersecurity firm Genians, the attackers pose as […]

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on TuxCare.

The post Alert: Kimsuky Hacking Group Targets Human Rights Activists appeared first on Security Boulevard.

"I write to request that your agencies investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices, which caused substantial harm to consumers, investors, the healthcare industry, and U.S. national security. The company, its senior executives, and board of directors must be held accountable," declared Senator Ron Wyden, Chairman of the Senate Committee on Finance, in a letter to federal regulators on May 30. This urgent plea follows the devastating cyberattack on Change Healthcare, a subsidiary of UHG, raising critical questions about the company's cybersecurity integrity. In a four-page letter, Senator Wyden linked the recent cyberattack on Change Healthcare to the infamous SolarWinds data breach, blaming UHG's leadership for a series of risky decisions that ended in this tragic cyberattack. [caption id="attachment_73457" align="aligncenter" width="1024"] Source: SEC[/caption]

Broader Context of Cyberattack on Change Healthcare

At the heart of the criticism is the appointment of a Chief Information Security Officer (CISO) who had no prior full-time experience in cybersecurity before assuming the role in June 2023. This, according to Wyden, epitomizes the corporate negligence that has placed countless stakeholders at risk. Wyden argues that Martin's appointment exemplifies a broader pattern of poor decision-making by UHG’s senior executives and board of directors, who should be held accountable for the company’s cybersecurity lapses. The comparison to SolarWinds is particularly telling. The SolarWinds incident exposed vulnerabilities in software supply chains, leading to widespread consequences across multiple sectors. Similarly, UHG's data breach, if proven to result from preventable lapses, highlights the critical need for stringent cybersecurity practices in healthcare, an industry that handles sensitive personal and medical data.

The Incident and Initial Reactions

The incident in question involved hackers exploiting a remote access server at Change Healthcare, which lacked multi-factor authentication (MFA). This basic cybersecurity lapse allowed the attackers to gain an initial foothold, leading to a ransomware infection that crippled UHG’s operations. During testimony before the Senate Finance Committee on May 1, 2024, UHG CEO Andrew Witty admitted that the company’s MFA policy was not uniformly implemented across all external servers. Witty's revelations highlighted a broader issue of inadequate cybersecurity defenses at UHG, despite the industry's reliance on MFA as a fundamental safeguard.

Industry Standards and Regulatory Expectations

Wyden’s letter points out that the Federal Trade Commission (FTC) has mandated MFA for financial services companies under the Safeguards Rule and has enforced its use in cases against companies like Drizly and Chegg. These precedents establish MFA as a non-negotiable standard for protecting consumer data. UHG's failure to implement this basic security measure on all its servers is a glaring oversight, suggesting a disconnect between its stated policies and actual practices. Moreover, Wyden highlights the necessity of multiple lines of defense in cybersecurity. The fact that hackers could escalate their access from one compromised server to the entire network indicates a lack of network segmentation and other best practices designed to contain breaches. This deficiency exacerbates the initial failure to secure remote access points.

Consequences and Broader Implications

The implications of UHG’s cybersecurity failures are profound. The immediate aftermath saw significant disruptions, with some of UHG's systems taking weeks to restore. Witty admitted that while cloud-based systems were quickly recovered, many critical services running on UHG's own servers were not engineered for rapid restoration. This lack of resilience in UHG’s infrastructure planning highlights a failure to anticipate and mitigate the risk of ransomware attacks, a known and escalating threat. Wyden’s letter also addresses the financial fallout. UHG has already estimated the breach's cost at over a billion dollars, reflecting the significant economic impact of the cyberattack. This financial burden, coupled with negative media coverage, exposes UHG to substantial political and market risks. The case echoes the SEC’s stance in the SolarWinds case, where cybersecurity practices were deemed crucial for investor decisions. Investors in UHG would similarly consider enhanced cybersecurity practices essential, given the potential for massive breaches to affect stock value and company reputation.

Accountability and Regulatory Action

Senator Wyden calls for the FTC and SEC to investigate UHG’s cybersecurity and technology practices, aiming to determine if any federal laws were violated and to hold senior officials accountable. This push for accountability highlights the role of corporate governance in cybersecurity. The Audit and Finance Committee of UHG’s board, responsible for overseeing cybersecurity risks, is criticized for its apparent failure to fulfill its duties. Wyden suggests that the board's lack of cybersecurity expertise likely contributed to the oversight failures, a critical point in an era where cybersecurity threats are increasingly sophisticated and pervasive.

Malicious actors from Russia, China, Israel, and Iran have been leveraging artificial intelligence to target victims, according to OpenAI's latest report. These threat actors from the aforementioned nations are using AI models in covert influence operations. The report details various adversary tactics ranging from the grammatical manipulations by the "Bad Grammar" network to the advanced strategies employed by the "Doppelganger" threat actor, providing deep insights into these malevolent activities. Through an in-depth analysis of recent developments and disruptions, the AI and Covert Influence Operations Latest Trends report offers invaluable insights into the modern-day tactics employed by threat actors to manipulate narratives and influence public opinion across online platforms.

Threat Actors Employ AI and Covert Influence Operations

These threat actors, hailing from diverse geopolitical regions, including Russia, China, Iran, and a commercial entity based in Israel, have exploited the technology of artificial intelligence, especially generative AI, to create a series of covert influence operations. These operations, meticulously documented and analyzed within the report, exemplify the sophisticated strategies employed by malicious actors to exploit AI technologies for their nefarious agendas, says OpenAI. One of the prominent operations highlighted in the report is "Bad Grammar," a previously undisclosed campaign originating from Russia. Operating primarily on the messaging platform Telegram, Bad Grammar sought to disseminate politically charged content targeting audiences in Ukraine, Moldova, the Baltic States, and the United States. Despite its geographic reach, this operation was characterized by its blatant grammatical errors, reflecting a deliberate attempt to undermine credibility while leveraging AI models for content generation. Similarly, the report sheds light on the activities of "Doppelganger," a persistent threat actor linked to Russia, engaged in disseminating anti-Ukraine propaganda across various online channels. Employing a hybrid approach that combines AI-generated content with traditional formats such as memes sourced from the internet, Doppelganger exemplifies the fusion of old and new tactics in these campaigns.

Influencing Geographical Politics

The report also highlights covert influence campaigns linked to China, Iran, and a commercial group in Israel, in addition to those connected with Russia. These operations, known by names like "Spamouflage" and "STOIC," use various strategies to push their specific agendas. Their activities include promoting pro-China narratives while attacking its detractors, as well as creating content focused on the Gaza conflict and the elections in India. Despite the diverse origins and tactics employed by these threat actors, the report highlights common trends that shed light on the current state of covert influence. One such trend is the pervasive use of AI models to augment productivity and streamline content generation processes. From generating multilingual articles to automating the creation of website tags, AI serves as a force multiplier for malicious entities seeking to manipulate digital discourse. Furthermore, the report goes deeper into the intricate interplay between AI-driven strategies and human error, emphasizing the inherent fallibility of human operators engaged in covert influence operations. Instances of AI-generated content containing threatening signs of automation by state-hackers.

Researchers discovered a new data theft campaign, active since at least 2021, attributed to an advanced persistent threat (APT) actor dubbed "LilacSquid." This campaign, observed by researchers at Cisco Talos, targets a diverse set of industries, including IT organizations in the United States, energy companies in Europe, and pharmaceutical firms in Asia. This broad victimology suggests that LilacSquid is agnostic to industry verticals, aiming to steal data from various sectors.

Use of Open-Source Tools and Customized Malware

The campaign from LilacSquid employs MeshAgent, an open-source remote management tool and a customized version of QuasarRAT that researchers refer as "PurpleInk," as primary implants after compromising vulnerable application servers exposed to the internet. LilacSquid exploits public-facing application server vulnerabilities and compromised remote desktop protocol (RDP) credentials to deploy a range of open-source tools and customized malware, including MeshAgent, SSF, PurpleInk, and loaders InkBox and InkLoader.

LilacSquid's Long-Term Access for Data Theft through Persistence

Talos assessed with high confidence that LilacSquid has been active since at least 2021, focusing on establishing long-term access to compromised organizations to siphon valuable data to attacker-controlled servers. The campaign has successfully compromised entities in Asia, Europe, and the United States across various sectors such as pharmaceuticals, oil and gas, and technology. LilacSquid uses two primary infection chains: exploiting vulnerable web applications and using compromised RDP credentials. [caption id="attachment_73284" align="aligncenter" width="1024"] LilacSquid Initial Access and Activity. (Credit: Cisco Talos)[/caption] Once a system is compromised through exploiting vulnerabilities on internet facing devices, LilacSquid deploys multiple access tools, including MeshAgent, SSF, InkLoader, and PurpleInk. [caption id="attachment_73286" align="aligncenter" width="1024"] LilacSquid's Lateral Movement via RDP. (Credit: Cisco Talos)[/caption] MeshAgent, downloaded using bitsadmin utility, connects to its command and control (C2) server, conducts reconnaissance, and activates other implants. On the other hand InkLoader, a .NET-based malware loader, is used when RDP credentials are compromised. It persists across reboots and executes PurpleInk, with the infection chain tailored for remote desktop sessions.

PurpleInk Implant of LilacSquid

PurpleInk, derived from QuasarRAT, has been customized extensively since 2021.

"Although QuasarRAT has been available to threat actors since at least 2014, we observed PurpleInk being actively developed starting in 2021 and continuing to evolve its functionalities separate from its parent malware family."

It features robust remote access capabilities, including process enumeration, file manipulation, system information gathering, remote shell access, and proxy server communication. Different variants of PurpleInk exhibit varying functionalities, with some stripped-down versions retaining core capabilities to evade detection. InkBox, an older loader used by LilacSquid, reads from a hardcoded file path on disk, decrypts its contents, and runs PurpleInk. Since 2023, LilacSquid has modularized the infection chain, with PurpleInk running as a separate process via InkLoader. [caption id="attachment_73282" align="aligncenter" width="1024"] PurpleInk Activation Chain (Credit: Cisco Talos)[/caption] Post-exploitation, MeshAgent activates other tools like SSF and PurpleInk. MeshAgent, configured with MSH files, allows operators to control infected devices extensively, managing files, viewing and controlling desktops, and gathering device information.

Parallels with North Korean APT Groups

The tactics, techniques, and procedures (TTPs) used in this campaign show similarities to those of North Korean APT groups, such as Andariel and Lazarus. Andariel is known for using MeshAgent to maintain post-compromise access, while Lazarus extensively employs SOCKs proxy and tunneling tools, along with custom malware, to create channels for secondary access and data exfiltration. LilacSquid has similarly deployed SSF and other malware to establish tunnels to their remote servers. The LilacSquid campaign highlights the persistent and evolving threat posed by sophisticated APT actors. By leveraging a combination of open-source tools and customized malware, LilacSquid successfully infiltrates and maintains long-term access to diverse organizations worldwide. IoCs to detect LilacSquid's PurpleInk infection:

PurpleInk: 2eb9c6722139e821c2fe8314b356880be70f3d19d8d2ba530adc9f466ffc67d8

Network IOCs 

67[.]213[.]221[.]6 192[.]145[.]127[.]190 45[.]9[.]251[.]14 199[.]229[.]250[.]142

The NoName ransomware group has claimed responsibility for a series of cyberattacks targeting key institutions in Spain and Germany. The group’s latest alleged victims include the Royal Household of Spain, Corts Valencianes, and the Government of the Principality of Asturias, as well as German entities such as Energie Baden-Württemberg AG, Leistritz AG, and Aareal Bank AG. In a message posted on a dark web forum, NoName declared, "We continue attack on the Spanish internet infrastructure and destroy the state websites of Russophobic authorities." [caption id="attachment_73295" align="aligncenter" width="528"] Source: X[/caption] [caption id="attachment_73296" align="aligncenter" width="530"] Source: X[/caption] Similarly, they stated regarding Germany, "We continue to punish Germany and destroy several websites of this Russophobic country." These statements underscore the group’s purported motive of targeting entities they deem as "Russophobic." [caption id="attachment_73298" align="aligncenter" width="527"] Source: X[/caption] [caption id="attachment_73297" align="aligncenter" width="522"] Source: X[/caption] Despite these bold claims, the NoName group has not provided concrete evidence or detailed context regarding the nature and impact of these alleged cyberattacks. The Cyber Express team attempted to verify these claims by reaching out to the allegedly implicated organizations. As of the writing of this report, no responses have been received from the officials of the alleged target companies, leaving the claims unverified. Upon accessing the official websites of the listed Spanish and German companies, no disruptions or signs of cyberattack were observed, as the websites were fully functional. This raises questions about the veracity of NoName's claims and the potential for misinformation as a tactic in their cyber operations.

Historical Context of NoName Ransomware Cyber Activities

This isn’t the first instance of NoName targeting prominent organizations. In April 2024, the group allegedly launched a cyberattack on Moldova, affecting key government websites such as the Presidency, Ministry of Foreign Affairs, Ministry of Internal Affairs, and the State Registry. These websites were rendered inaccessible, displaying the message, “This Site Can’t be Reached.” The attack hinted at a politically motivated agenda, though NoName did not explicitly disclose their motives. In March 2024, NoName targeted multiple websites in Denmark, including significant entities like Movia, Din Offentlige Transport, the Ministry of Transport, Copenhagen Airports, and Danish Shipping. Similarly, in January 2024, the group attacked high-profile websites in the Netherlands, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), and GVB. More recently, NoName’s cyber onslaught on Finland raised further alarms. Finnish government organizations, including Traficom, the National Cyber Security Centre Finland (NCSC-FI), The Railways, and the Agency for Regulation and Development of Transport and Communications Infrastructure, faced temporary inaccessibility due to DDoS attacks.

Implications and the Need for Vigilance

The sophistication and scale of NoName ransomware operations, combined with their apparent political motives, highlight the urgent need for enhanced cybersecurity measures and international cooperation. The rising frequency of cyberattacks targeting governmental institutions across Europe demands a coordinated response from both national and international cybersecurity agencies. If NoName's recent claims about targeting Spain and Germany are proven true, the implications could be far-reaching. Cyberattacks on such critical institutions could disrupt governmental functions, compromise sensitive data, and undermine public trust. However, any definitive conclusions must await official statements from the allegedly targeted companies in Spain and Germany. The alleged ongoing cyberattacks by NoName ransomware serve as a reminder of the persistent and evolving threat landscape. As the investigation continues, the cybersecurity community must remain vigilant and proactive in protecting digital infrastructure from such malicious actors. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

CL0P ransomware group has claimed to have added Cooperativa de Crédito y Vivienda Unicred Limitada to their growing list of victims. The group alleges they have exfiltrated various sensitive financial documents, including invoices and forms, from Unicred cyberattack. The CL0P ransomware group, known for its high-profile cyberattacks, has detailed basic information about Unicred on their leak site, including links to the cooperative's official website. Unicred, founded in 1989 by a consortium of experienced businessmen and financial professionals, specializes in various financing instruments, such as the assignment of deferred payment checks, invoice credits, electronic invoices, and work certificates. The cooperative, with a reported revenue of $15.3 million, has built a reputation for its expertise in credit administration. [caption id="attachment_73263" align="aligncenter" width="678"] Source: X[/caption] Despite the serious nature of CL0P's claims, initial investigations show no immediate signs of a cyberattack on Unicred's official website, which remains fully operational. To clarify the situation, The Cyber Express Team reached out to Unicred's officials. However, at the time of writing, no response has been received, leaving the ransomware group's assertions unverified. [caption id="attachment_73265" align="aligncenter" width="819"] Source: X[/caption] [caption id="attachment_73266" align="aligncenter" width="793"] Source: X[/caption]

Potential Impact of the Alleged Unicred Cyberattack

Should the CL0P ransomware group's claim of a Unicred cyberattack be validated, the repercussions could be substantial for both Unicred and its customers. Ransomware attacks typically involve not only the exfiltration of sensitive data but also the potential for that data to be publicly released or sold, leading to severe privacy breaches and financial loss. Given Unicred's role in handling significant financial transactions and sensitive customer information, a confirmed Unicred cyberattack could undermine customer trust, disrupt business operations, and result in regulatory scrutiny and potential fines. The exposure of financial documents and personal data could also lead to identity theft and financial fraud, posing a serious threat to the affected individuals.

CL0P Ransomware Notorious Track Record

The CL0P ransomware group has a well-documented history of targeting high-profile organizations. Earlier this month, the group listed three new victims on its leak site: McKinley Packing, Pilot, and Pinnacle Engineering Group. In January 2024, CL0P claimed responsibility for compromising S&A Law Offices, a prominent India-based firm specializing in litigation services and intellectual property rights. The cybercriminals posted sensitive employee details, including phone numbers, addresses, vehicle numbers, PAN card details, internal communications, and other personally identifiable information (PII) as proof of the breach. In 2023, the CL0P group was behind a series of significant data breaches exploiting the MOVEit vulnerability. This widespread campaign led the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) to issue a joint cybersecurity advisory. The advisory disseminated Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with CL0P's operations, emphasizing the group's threat to organizations across various sectors.

Conclusion

The alleged cyberattack on Cooperativa de Crédito y Vivienda Unicred Limitada by the CL0P ransomware group highlights the ongoing and evolving threat landscape in the digital age. While the claims remain unverified, the potential impact on Unicred and its customers is a reminder of the importance of cybersecurity vigilance. As CL0P continues to target high-profile entities, organizations must prioritize cybersecurity to protect their data, maintain customer trust, and ensure business continuity. As this situation develops, further verification and responses from Unicred will be crucial in determining the full extent of the impact and the measures needed to address it. Meanwhile, the cybersecurity community must remain vigilant and proactive in countering the ever-present threat of ransomware attacks. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The notorious Russian hacktivist collective UserSec is actively seeking specialists to join its ranks, signaling a new recruitment drive within the hacking community. The group, known for its anti-NATO stance and pro-Russian sentiments, recently posted a UserSec recruitment drive plan on Telegram channels, emphasizing the need for individuals skilled in multiple hacking techniques and virus handling. In addition to traditional hacking roles, UserSec is also launching a specialized training program focused on website defacement techniques. This initiative includes updated materials, new tools, and bonus resources for recruits. The group aims to expand its capabilities and bolster its operations through this recruitment effort.

UserSec Recruitment Drive for Hackers

[caption id="attachment_73253" align="alignnone" width="972"] Source: Dark Web[/caption] The UserSec recruitment drive plan comes amidst ongoing tensions between Russia and NATO, with UserSec previously declaring a cyber campaign targeting NATO member states. Notably, the group has collaborated with other pro-Russian hacking groups, such as KillNet, to orchestrate coordinated attacks against NATO. Talking about the recruitment plan, the threat actor stated they are “looking for promising specialists” to join their teams, including individuals who are interested in pen testing, social engineering, reverse engineers, and “people who know how to work with viruses”. UserSec, a pro-Russian hacking group active since at least 2022, has gained notoriety for its Distributed Denial of Service (DDoS) attacks and collaboration with other like-minded groups. In May 2023, UserSec made headlines by declaring a cyber campaign aimed at NATO member states, forming an alliance with KillNet to carry out coordinated attacks.

UserSec’s Plans for Unified Collaborative Environment 

The recent recruitment drive highlights UserSec's plan to create a unified environment for hackers. By seeking specialists in various hacking techniques and offering training in website defacement, UserSec aims to attract individuals who can contribute to its objectives of disrupting adversaries and advancing its pro-Russian agenda. The collaboration between UserSec and KillNet further highlights a concerning trend in cyber warfare, where hacking groups align themselves to target politically significant entities. By leveraging Distributed Denial of Service (DDoS) attacks, UserSec demonstrates its disruptive capabilities and willingness to engage in cyber warfare for geopolitical purposes. The targeting of NATO member states raises questions about the potential implications for international security, emphasizing the urgent need for enhanced cybersecurity measures. As hacking groups continue to evolve and collaborate to launch large-scale attacks, governments and organizations must prioritize cybersecurity to mitigate the threat posed by groups like UserSec. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

A 25-year-old man from Kawasaki, Japan was arrested this week for allegedly using generative AI tools to create ransomware in an AI jailbreaking case that may be the first of its kind in Japan. The arrest of Ryuki Hayashi, widely reported in Japan, is the latest example of an attacker defeating AI guardrails, which has become something of an obsession for hackers and cybersecurity researchers alike. Just this week, researchers from Germany’s CISPA Helmholtz Center for Information Security reported on their efforts to jailbreak GPT-4o, the latest multimodal large language model (MLLM) released by OpenAI a little more than two weeks ago. Concerns raised by those researchers and others led OpenAI to establish a safety and security committee this week to try to address AI risks.

AI Jailbreak Tools and Methods Unclear

News reports on Hayashi’s arrest have been lacking in details on the tools and methods he used to create the ransomware. The Japan Times reported that Hayashi, a former factory worker, “is not an expert on malware. He allegedly learned online how to ask AI tools questions that would elicit information on how to create malware.” Hayashi came under suspicion after police arrested him in March “for allegedly using fake identification to obtain a SIM card registered under someone else's name,” the paper reported. The Japan News, which reported that Hayashi is unemployed, said police found “a homemade virus on a computer” following the March arrest. The News said police suspect he “used his home computer and smartphone to combine information about creating malware programs obtained after giving instructions to several generative AI systems in March last year.” Hayashi “allegedly gave instructions to the AI systems while concealing his purpose of creating the virus to obtain design information necessary for encrypting files and demanding ransom,” the News reported. “He is said to have searched online for ways to illegally obtain information.” Hayashi reportedly admitted to charges during questioning, and told police, “I wanted to make money through ransomware. I thought I could do anything if I asked AI.” There have been no reports of damage from the ransomware he created, the News said.

LLM Jailbreak Research Heats Up

The news comes as research on AI jailbreaking and attack techniques has grown, with a number of recent reports on risks and possible solutions. In a paper posted to arXiv this week, the CISPA researchers said they were able to more than double their attack success rate (ASR) on GPT-4o’s voice mode with an attack they dubbed VOICEJAILBREAK, “a novel voice jailbreak attack that humanizes GPT-4o and attempts to persuade it through fictional storytelling (setting, character, and plot).” Another arXiv paper, posted in February by researchers at the University of California at Berkeley, looked at a range of risks associated with GenAI tools such as Microsoft Copilot and ChatGPT, along with possible solutions, such as development of an “AI firewall” to monitor and change LLM inputs and outputs if necessary. And earlier this month, OT and IoT security company SCADAfence outlined a wide range of AI tools, threat actors and attack techniques. In addition to general use case chatbots like ChatGPT and Google Gemini, the report looked at “dark LLMs” created for malicious purposes, such as WormGPT, FraudGPT, DarkBERT and DarkBART. SCADAfence recommended that OT and SCADA organizations follow best practices such as limiting network exposure for control systems, patching, access control and up to date offline backups. GenAI uses and misuses is also expected to be the topic of a number of presentations at Gartner’s Security and Risk Management Summit next week in National Harbor, Maryland, just outside the U.S. capital.

Toshiba America Business Solutions reached out to customers to inform them of a potential data security incident in which their personal information may have been compromised. Toshiba America Business Solutions is an American subsidiary of the Toshiba TEC Corporation. The company said that it was committed to protecting the confidentiality and security of personal data, and offered credit monitoring services to affected individuals.

Toshiba America Data Breach

After conducting a preliminary investigation, Toshiba reported that an attacker may have compromised its email environment. The attacker may have obtained unauthorized access to sensitive personally identifiable information such as names and Social Security numbers from the email compromise. The investigation confirmed that the breach could have impacted numerous individuals, leading Toshiba to contact affected individuals, as legally required. Toshiba America Business Solutions advised customers to remain cautious over the incident. The firm advised customers to regularly review their credit reports, financial account statements, and payment card statements for any unauthorized activity. Any suspicious activity could be reported to Toshiba or law enforcement agencies. Toshiba apologized to the affected individuals for any inconvenience stemming from the incident and said that additional measures had been implemented since then to enhance the security of its email environment and prevent similar occurrences in the future. To assist the affected individuals in safeguarding their personal information, Toshiba has arranged for a complimentary, two-year membership of identity monitoring services offered through Kroll. This membership offering includes triple bureau credit monitoring, fraud consultation, and identity theft restoration. The fraud consultation option allows affected individuals  to reach out to Kroll fraud specialists for advice and assistance relating to identity protection, legal rights, and detection of suspicious activity. The identity theft restoration option lets affected individuals work with a licensed Kroll investigator to resolve potential identity theft issues. Toshiba stated that these services would be provided for free to the affected individuals and would not negatively impact their credit scores. Affected individuals were encouraged to use the services as well as to contact Toshiba or Kroll for additional assistance.

Law Firm Announces Investigation

Strauss Borrelli PLLC, a data breach law firm, announced on its website that it would be investigating Toshiba American Business Solutions, Inc. with regard to the recent data breach that exposed sensitive personally identifiable information. While the full extent of the data breach is unknown, the Toshiba America Business Solutions division operates offices across the U.S. and Latin America. The law firm encouraged customers who received a breach notification letter from Toshiba American Business Solutions to contact Strauss Borrelli PLLC to discuss their rights and potential legal remedies in response to the incident. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

In one of the largest mass bricking events in history, at least 600,000 routers belonging to subscribers of the same ISP service were essentially destroyed last October. The incident has been dubbed "Pumpkin Eclipse," with researchers still unclear on how the routers became infected. The affected devices displayed a steady red light and were unresponsive to troubleshooting attempts, and had to be replaced. Now new research is shedding light on the attack, which involved unusually sophisticated and stealthy attack methods.

'Pumpkin Eclipse' Router Attack

The attack began on October 25, 2023, as the ISP's subscribers began reporting their ActionTec T3200 and Sagemcom routers had suddenly stopped working. Users described the devices as unresponsive, with a steady red light on the front panel. Many blamed the ISP for the mass "bricking" of the routers, alleging the company had pushed faulty firmware updates. However, according to new research by Black Lotus Labs, the incident was in fact the result of a deliberate, malicious act. The researchers reported that over a 72-hour period, a malware known as "Chalubo" had infected over 600,000 routers connected to a single autonomous system number (ASN) belonging to an unnamed ISP. While the researchers avoided naming the ISP affected in the attack, the description of the attack matches frustrations expressed months ago by subscribers of the Windstream ISP, such as the router affected and its resulting behavior. The Chalubo malware, a commodity remote access trojan (RAT) first identified in 2018, employed sophisticated tactics to cover its tracks. It removed all files from the infected devices' disks, ran entirely in memory, and assumed random process names already present on the routers. The researchers believe the malware downloaded and ran code that permanently overwrote the router's default device firmware, rendering them permanently inoperable. The researchers state that while the motives behind the attack are unknown, its implications are troubling.

Researchers Unsure Over Initial Attack Vector but Theorize Possibilities

Although the researchers identified the malware's multi-chain attack process and its spread across the ISP's network, they have been unable to determine the initial infection vector employed by the threat actor. They theorize that it could have possibly resulted from the exploit of an inherent vulnerability, exploit of weak credentials, or compromise of the routers' administrative panels. The researchers said the attack is highly concerning, as it represents a new precedent for malware capable of mass-bricking consumer networking devices. The researchers could only recall one prior similar event - the 2022 discovery of the AcidRain malware, which knocked out over 10,000 satellite internet modems in Ukraine and Europe during the start of the Russian invasion. The researchers said the impact of "Pumpkin Eclipse" attack was particularly severe, as the affected ISP's service area covers many rural and underserved communities. Residents may have lost access to emergency services, farmers could have been cut off from remote crop monitoring, and healthcare providers may have been unable to access patient records or provide telehealth services. "At this time, we do not assess this to be the work of a nation-state or state-sponsored entity," the Lumen researchers wrote. In fact, we have not observed any overlap with known destructive activity clusters; particularly those prone to destructive events such as Volt Typhoon, or SeaShell Blizzard. Nonetheless, they speculated that usage of a commodity malware family may have been a deliberate move to obscure the perpetrator's potential identity. Recovery from such a supply chain disruption is always more challenging in isolated or vulnerable regions, the researchers added. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

What we know so far: A Ticketmaster AWS instance was penetrated by unknown perpetrators; “ShinyHunters” is selling stolen data on their behalf. Don’t forget to add the hidden 5% fee to the ransom.

The post Ticketmaster Hack Ticks Off 560M Customers in 1.3TB Breach appeared first on Security Boulevard.

The group behind the RedTail malware is exploiting a new vulnerability in Palo Alto Network's PAN-OS software to run a sophisticated cryptomining campaign that is likely backed by North Korea.

The post RedTail Malware Abuses Palo Alto Flaw in Latest Cryptomining Campaign appeared first on Security Boulevard.

We are in an age when cybercriminals routinely steal credentials, and with so few organizations limiting privileges cloud security issues are rife.

The post Analysis Uncovers Raft of Identity Issues in the Cloud appeared first on Security Boulevard.

Strata’s Maverics Identity Orchestration Platform recognized as Best Authentication and Identity Solution BOULDER, Colo., May 30, 2024 — Strata Identity, the Identity Orchestration company, today announced its Maverics Identity Orchestration Platform received the prestigious 2024 Fortress Cybersecurity Award in the Authentication and Identity category. Strata’s Maverics implements an abstraction layer that bridges siloed and incompatible...

The post Strata Identity Wins 2024 Fortress Cybersecurity Award from Business Intelligence Group appeared first on Strata.io.

The post Strata Identity Wins 2024 Fortress Cybersecurity Award from Business Intelligence Group appeared first on Security Boulevard.

Scammers love to bank on the good name of legitimate companies to gain the trust of their intended targets. Recently, it came to our attention that a cybercriminal is using fake websites for security products to spread malware. One of those websites was impersonating the Malwarebytes brand.

The download from the fake website was an information stealer with a filename that resembled that of the actual Malwarebytes installer.

Besides some common system information, this stealer goes after:

• Account tokens
• Steam tokens
• Saved card details
• System profiles
• Telegram logins
• List of running process names
• Installed browser lists and their version
• Credentials from the browser “User Data” folder, Local DB an autofill
• Cookies from the browser
• List of folders on the C drive

This is just one scam, but there are always others using our name to target people. We regularly see tech support scammers pretending to be Malwarebytes to defraud their victims.

Some scammers sell—sometimes illegal—copies of Malwarebytes for prices that are boldly exaggerated.

Others will try and phish you by sending you a confirmation mail of your subscription to Malwarebytes.

And sometimes when you search for Malwarebytes you will find imposters in between legitimate re-sellers. Some even use our logo.

In this case, Google warned us that there was danger up ahead.

The site itself was not as convincing as the advert, and some poking around in the source code told us the website was likely built by a Russian speaking individual.

How to avoid brand scams

It’s easy to see how people can fall for fake brand notices. Here are some things that can help you avoid scams that use our name:

• Download software directly from our sites if you are not sure of the legitimacy of the ones offered to you.
• Check that any emails that appear to come from Malwarebytes are sent from a malwarebytes.com address.
• If you have any questions or doubts as to the legitimacy of something, you can contact our Support team.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Law enforcement agencies in the United States and Europe today announced Operation Endgame, a coordinated action against some of the most popular cybercrime platforms for delivering ransomware and data-stealing malware. Dubbed “the largest ever operation against botnets,” the international effort is being billed as the opening salvo in an ongoing campaign targeting advanced malware “droppers” or “loaders” like IcedID, Smokeloader and Trickbot.

Operation Endgame targets the cybercrime ecosystem supporting droppers/loaders, slang terms used to describe tiny, custom-made programs designed to surreptitiously install malware onto a target system. Droppers are typically used in the initial stages of a breach, and they allow cybercriminals to bypass security measures and deploy additional harmful programs, including viruses, ransomware, or spyware.

Droppers like IcedID are most often deployed through email attachments, hacked websites, or bundled with legitimate software. For example, cybercriminals have long used paid ads on Google to trick people into installing malware disguised as popular free software, such as Microsoft Teams, Adobe Reader and Discord. In those cases, the dropper is the hidden component bundled with the legitimate software that quietly loads malware onto the user’s system.

Droppers remain such a critical, human-intensive component of nearly all major cybercrime enterprises that the most popular have turned into full-fledged cybercrime services of their own. By targeting the individuals who develop and maintain dropper services and their supporting infrastructure, authorities are hoping to disrupt multiple cybercriminal operations simultaneously.

According to a statement from the European police agency Europol, between May 27 and May 29, 2024 authorities arrested four suspects (one in Armenia and three in Ukraine), and disrupted or took down more than 100 Internet servers in Bulgaria, Canada, Germany, Lithuania, the Netherlands, Romania, Switzerland, the United Kingdom, United States and Ukraine. Authorities say they also seized more than 2,000 domain names that supported dropper infrastructure online.

In addition, Europol released information on eight fugitives suspected of involvement in dropper services and who are wanted by Germany; their names and photos were added to Europol’s “Most Wanted” list on 30 May 2024.

“It has been discovered through the investigations so far that one of the main suspects has earned at least EUR 69 million in cryptocurrency by renting out criminal infrastructure sites to deploy ransomware,” Europol wrote. “The suspect’s transactions are constantly being monitored and legal permission to seize these assets upon future actions has already been obtained.”

There have been numerous such coordinated malware takedown efforts in the past, and yet often the substantial amount of coordination required between law enforcement agencies and cybersecurity firms involved is not sustained after the initial disruption and/or arrests.

But a new website erected to detail today’s action — operation-endgame.com — makes the case that this time is different, and that more takedowns and arrests are coming. “Operation Endgame does not end today,” the site promises. “New actions will be announced on this website.”

Perhaps in recognition that many of today’s top cybercriminals reside in countries that are effectively beyond the reach of international law enforcement, actions like Operation Endgame seem increasingly focused on mind games — i.e., trolling the hackers.

Writing in this month’s issue of Wired, Matt Burgess makes the case that Western law enforcement officials have turned to psychological measures as an added way to slow down Russian hackers and cut to the heart of the sweeping cybercrime ecosystem.

“These nascent psyops include efforts to erode the limited trust the criminals have in each other, driving subtle wedges between fragile hacker egos, and sending offenders personalized messages showing they’re being watched,” Burgess wrote.

When authorities in the U.S. and U.K. announced in February 2024 that they’d infiltrated and seized the infrastructure used by the infamous LockBit ransomware gang, they borrowed the existing design of LockBit’s victim shaming website to link instead to press releases about the takedown, and included a countdown timer that was eventually replaced with the personal details of LockBit’s alleged leader.

The Operation Endgame website also includes a countdown timer, which serves to tease the release of several animated videos that mimic the same sort of flashy, short advertisements that established cybercriminals often produce to promote their services online. At least two of the videos include a substantial amount of text written in Russian.

The coordinated takedown comes on the heels of another law enforcement action this week against what the director of the FBI called “likely the world’s largest botnet ever.” On Wednesday U.S. Department of Justice (DOJ) announced the arrest of YunHe Wang, the alleged operator of the ten-year-old online anonymity service 911 S5. The government also seized 911 S5’s domains and online infrastructure, which allegedly turned computers running various “free VPN” products into Internet traffic relays that facilitated billions of dollars in online fraud and cybercrime.

Seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted or infected with NSO Group’s proprietary Pegasus spyware. A joint investigation by Citizen Lab and Access Now detailed incidents from August 2020 to January 2023 and concluded that a single NSO Group customer might be responsible for at least five of these cases.

Threats Against Critics of Russian and Belarusian Regimes

In September 2023, Citizen Lab and Access Now reported the hacking of exiled Russian journalist Galina Timchenko, CEO and publisher of Meduza, with Pegasus spyware. Building on these findings, the investigation, in collaboration with digital security expert Nikolai Kvantiliani, now reveals the targeting of seven additional Russian and Belarusian-speaking civil society members and journalists. Many of these individuals, living in exile, have vocally criticized the Russian government, including its invasion of Ukraine, and have faced severe threats from Russian and Belarusian state security services. Critics of the Russian and Belarusian governments typically face intense retaliation, including surveillance, detention, violence, and hacking. The repression has escalated following Russia’s 2022 invasion of Ukraine, with laws severely curtailing the operations of media and civil society organizations. An example of this is the Russian government designating the Munk School of Global Affairs & Public Policy at the University of Toronto, home to the Citizen Lab, as an “Undesirable Organization,” in March 2024. Many opposition activists and independent media groups have relocated abroad to continue their work. Despite the geographic distance, these exiled communities face ongoing threats, including violent attacks, surveillance, and digital risks. For instance, Meduza reported a significant Distributed Denial of Service (DDoS) attack on their website during Russia’s 2024 presidential elections.

Investigation Confirmed Pegasus Spyware Targeting

The investigation confirmed that the following individuals were targeted or infected with Pegasus spyware. Their names are published with their consent. [caption id="attachment_73182" align="aligncenter" width="1532"] Table Showing Individuals Identified in the Latest Pegasus Spyware Infections (Credit: Citizen Lab)[/caption] Access Now and Citizen Lab confirmed that five victims' phones had Apple IDs used by Pegasus operators in hacking attempts. Exploits leveraging bugs in HomeKit can leave the attacker's Apple ID email address on the victim's device. Citizen Lab believes each Apple ID is tied to a single Pegasus operator, although one operator may use multiple IDs. The same Apple ID was found on the phones of Pavlov, Radzina, and a second anonymous victim. A different email account targeted both Erlikh and Pavlov’s phones on November 28, 2022. Artifacts from Andrei Sannikov and Natallia Radzina’s phones contained another identical email. This indicates that a single Pegasus spyware operator may have targeted at least three of the victims, possibly all five. [caption id="attachment_73184" align="aligncenter" width="1024"] Credit: Citizen Lab[/caption] The investigators could not attribute the attacks to a specific operator but certain trends pointed to Estonia’s involvement. Based on previous investigation, Poland, Russia, Belarus, Lithuania, and Latvia are all known to be customers of the NSO Group’s spyware, but the likeliness of their involvement is low as they do not target victims outside their borders, the investigators said. Estonia, however, is known to use Pegasus extensively beyond its borders, including in multiple European countries.

Concerns Over Digital Transnational Repression

This pattern of targeting raises serious concerns about the legality and proportionality of such actions under international human rights law. The attacks occurred in Europe, where the targeted individuals sought safety, prompting questions about host states’ obligations to prevent and respond to these human rights violations. The ongoing investigation highlights the persistent threats faced by exiled Russian and Belarusian journalists and activists. As digital transnational repression continues, it underscores the urgent need for robust international measures to protect freedom of expression and privacy for these vulnerable groups.

“Access Now [urged] governments to establish an immediate moratorium on the export, sale, transfer, servicing, and use of targeted digital surveillance technologies until rigorous human rights safeguards are put in place to regulate such practices, and to ban the use of spyware technologies such as Pegasus that have a history of enabling human rights abuses.”

Apple recently issued notifications to users in more than 90 countries alerting them of possible mercenary spyware attacks. The tech giant replaced the term "state-sponsored" in its alerts with "mercenary spyware attacks," drawing global attention. Previously, Apple used "state-sponsored" for malware threats, but now it highlights threats from hacker groups. Apple noted that while these attacks were historically linked to state actors and private entities like the NSO Group’s Pegasus, the new term covers a broader range of threats.

Internet Archive, one of the oldest online directories of websites, movies, books, software and more, is facing a cyberattack that has disrupted its services for over three days. The Internet Archive cyberattack, identified as a distributed denial-of-service (DDoS) assault, has besieged the service and inundated its servers with repeated requests. While the organization is reassuring users that its collections remain secure, the accessibility of its Wayback Machine, a tool allowing users to explore historical web pages, has been compromised.

Internet Archive Cyberattack Targets Multiple Systems

According to a blog post shared by Internet Archive on May 28, intermittent service disruptions have been reported over the past few days, confirmed by updates shared by Archive officials on social media platforms. Despite efforts to mitigate the attack, the exact source remains undisclosed. In response to the DDoS attack, Brewster Kahle, the founder and digital librarian of the Internet Archive, expressed gratitude for the outpouring of support while reaffirming the organization's commitment to fortify its defenses. Kahle characterized the attack as "sustained, impactful, targeted, adaptive, and importantly, mean" in the blog post.

Mitigation Against the Internet Archive DDoS Attack

The Internet Archive serves as a valuable resource for users seeking access to a diverse range of media content, both historical and contemporary, free of charge. However, its mission to democratize access to knowledge has encountered legal challenges, with the organization facing lawsuits from the U.S. book publishing and recording industry associations in the last year. The legal actions alleged copyright infringement and sought significant damages, casting a shadow over the future operations of libraries worldwide. The cyberattack on the Internet Archive echoes a troubling trend of attacks targeting libraries and knowledge institutions globally. Recent victims include the British Library, the Solano County Public Library in California, the Berlin Natural History Museum, Ontario’s London Public Library, and just this week, the Seattle Public Library. In light of the ongoing cyberattack and legal battles, Kahle emphasized the broader implications for libraries everywhere. He warned that the actions of publishing and recording industries threaten to undermine the very existence of libraries, posing a grave concern for patrons worldwide. This is an ongoing story and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on the Internet Archive cyberattack or any further communication from the organization. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Pharmaceutical giant Johnson & Johnson recently announced a data breach that may stem from a larger data breach affecting Lash Group, a division of Cencora. In February, Cencora reported a data breach incident to the U.S. Securities and Exchange Commission (SEC) after learning that data had been exfiltrated from its information systems, some of which contained personal information. The breach may have compromised some sensitive information of patients registered with Johnson & Johnson Patient Assistance Foundation, Inc.

Johnson & Johnson Data Breach Notice

On May 29, Johnson & Johnson filed a notice of data breach with the Attorney General of Texas, indicating that an unauthorized party accessed confidential patient information. The breach affected approximately 175,000 Texans, but the total number of victims nationwide could be much higher. The breach affects two Johnson & Johnson entities: Johnson & Johnson Patient Assistance Foundation, Inc., and Johnson & Johnson Services, Inc. The following data was compromised in the attack: Name of individual, Address, Medical Information, and Date of Birth. Data breach notification letters have been sent to all the affected individuals, while limited information is available on the Texas Attorney General's data breach reports page. The incident is potentially linked to a much larger breach involving Cencora, which has affected over a dozen major pharmaceutical companies so far.

Link to Cencora Data Breach

The Johnson & Johnson data breach bears several similarities to other large third-party pharmaceutical company data breaches affected by the Cencora/Lash Group data breach, which was first discovered on February 21. Cencora’s Lash Group division aids pharmaceutical companies in running patient support programs that try to ensure that costly medication is available to disadvantaged patients, regardless of their ability to pay for them. At least 15 clients of Cencora/Lash Group have notified state authorities of data breach incidents, with databreaches.net listing the following victims:

• AbbVie: 54,344 Texans affected
• Acadia Pharmaceuticals: 753 Texans affected
• Bayer: 8,822 Texans affected
• Bristol Myers Squibb and/or the Bristol Myers Squibb Patient Assistance Foundation: 256,237 Texans and 11,503 New Hampshire residents affected
• Dendreon: 2,923 Texans affected
• Endo: no numbers provided
• Genentech: 5,805 Texans affected
• GlaxoSmithKline Group of Companies and/or the GlaxoSmithKline Patient Access Programs Foundation: no numbers provided
• Incyte Corporation: 2,592 Texans affected
• Marathon Pharmaceuticals, LLC/PTC Therapeutics, Inc.: 466 Texans and 27 New Hampshire residents affected
• Novartis Pharmaceuticals: 12,134 Texans affected
• Pharming Healthcare, Inc.: 314 Texans and 9 New Hampshire residents affected
• Regeneron Pharmaceuticals: 91,514 Texans affected
• Sumitomo Pharma America, Inc.: 24,102 Texans affected
• Tolmar: 1 New Hampshire resident

Data breach notices have also been filed with California officials too. While the full extent of the damage has yet to be determined, it has affected over 540,000 patients so far. Cencora stated in its notification to the Securities and Exchange Commission that it had not yet been able to determine if the incident had a material impact on its operations. In in a notice on its website, the Leash Group indicated that personal information as well as personal health information had been potentially affected, including first name, last name, date of birth, health diagnosis, and/or medications and prescriptions. The Leash Group said in a statement that no personal data appears to have been exposed because of the incident:

“There is no evidence that any of this information has been or will be publicly disclosed, or that any information was or will be misused for fraudulent purposes as a result of this incident, but we are communicating this so that affected individuals can take the steps outlined below to protect yourself.”

The Leash Group is offering free credit monitoring and remediation services to affected individuals, and additional guidance on dealing with suspected breaches of personal information. No perpetrator has been identified or named as being responsible for the attack, and the potential impact of the breach is still being assessed. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

The website of Barcelona tram services, a central component of Spain's transportation network, was reportedly the target of a Distributed Denial-of-Service (DDoS) cyberattack. The TRAM Barcelona cyberattack has been claimed by the pro-Russian hacker group called "NoName," in collaboration with the Cyber Army of Russia. In a post, the group, which claims to be "NoName057(16)", made the announcement which read, "Supporting the attack by our friends from the People's Cyber Army, we are taking down one of Spain's transport websites." Since first emerging in March 2022, the pro-Russian hacker group NoName has been increasingly active, taking responsibility for a series of cyberattacks targeting government agencies, media outlets, and private companies across Ukraine, the United States, and Europe.

Decoding the Tram Barcelona Cyberattack

[caption id="attachment_72970" align="aligncenter" width="530"] Source: X[/caption] TRAM Barcelona, with its origins dating back to 1872, was one of Europe's earlier tram systems. After services were discontinued in 1971, the tram was reintroduced in 2004 with the new Trambaix and Trambesòs lines, which have since become a popular mode of transportation throughout Spain’s Catalonia region. [caption id="attachment_73002" align="alignnone" width="1642"] The hacker group declared the attack on May 29, 2024, and as of the time of this report, the website remains offline.[/caption] The specifics of the cyberattack on Tram Barcelona, including potential data breaches and the attackers' motives, have not been fully disclosed. The hacker group announced the attack on May 29, 2024, and as of this report, the website is still down. The company has not yet acknowledged the incident or issued any official statement about the status of the website and its services. The claimed cyberattack on Tram Barcelona highlights the persistent threat of security incidents on crucial entities, such as banks and government organizations. However, the absence of an official statement raises questions about the severity and credibility of the NoName cyberattack claim.

TRAM Barcelona Cyberattack: Latest in Series of Assaults

This isn’t the first instance of NoName targeting organizations. In January 2024, the group claimed responsibility for a series of cyberattacks across the Netherlands, Ukraine, Finland, and the USA. NoName has previously targeted a range of organizations, including OV-chipkaart, the Municipality of Vlaardingen, the Dutch Tax Office (Belastingdienst), PrivatBank 24, Credit Agricole Bank, MTB BANK, Accordbank, Matek Systems in China, Pixhawk in Switzerland, SpetsInTech, and Kvertus. Incidentally, just like Tram Barcelona, OV-chipkaart too is involved in the public transportation system offering a contactless smart card system widely used in for public transportation in the Netherlands. Until an official statement is released by the affected organization, the full scope and impact of the alleged NoName cyberattack remain unclear. As the cybersecurity landscape continues to evolve, these incidents highlight the importance of bolstering security protocols and adopting proactive measures to mitigate the increasing threat of cyberattacks. This is an ongoing story, and we will provide updates as more information becomes available. Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Source: www.databreachtoday.com – Author: 1 Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development The Office Will Oversee the Implementation of the European Union’s AI Act Akshaya Asokan (asokan_akshaya) • May 29, 2024     The European AI Office will begin operating in June 2024. (Image: Shutterstock) The European AI Office, which is […]

La entrada EU’s New AI Office Is Set to Begin Operating in June – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Critical Infrastructure Security , Governance & Risk Management , Operational Technology (OT) IT and OT Teams Rarely Talk and When They Do, They Rarely Agree On Anything Jayant Chakravarti (@JayJay_Tech) • May 29, 2024     Aerial view of Port Kembla steelworks and factories in New South Wales, Australia (Image: […]

La entrada Australian Industries Need OT-IT Convergence to Beat Attacks – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Cybersecurity Spending , Government , Industry Specific Army Seeking Public Input on $1 Billion Software Modernization Contract Vehicle Chris Riotta (@chrisriotta) • May 29, 2024     The U.S. Army is preparing for a $1 billion software development acquisition vehicle. (Image: Shutterstock) The U.S. Army is laying out a vision […]

La entrada US Army Unveils $1B Modern Software Development Initiative – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Breach Notification , Fraud Management & Cybercrime , Healthcare The Breach Notice Raises the Question of Whether Sav-Rx Paid a Ransom Marianne Kolbasuk McGee (HealthInfoSec) • May 29, 2024     Image: Sav-Rx A Nebraska firm that provides medication benefits management and pharmacy services is notifying more than 2.8 million […]

La entrada Rx Benefits Firm Notifying 2.8 Million of Data Theft Hack – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Source: www.databreachtoday.com – Author: 1 Governance & Risk Management , Password & Credential Management Presented by Duo     45 minutes     Passwords are inherently easy for adversaries to subvert. Due to password fatigue, users often choose weak passwords. They also often reuse or only slightly modify old passwords for different accounts. As a […]

La entrada Live Webinar | Passwordless – The Future of Authentication – Source: www.databreachtoday.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

VMware, a leading virtualization technology company, has fixed multiple security vulnerabilities found in VMware Workstation and Fusion products. These flaws, if exploited, could allow attackers to cause a denial of service, obtain sensitive information, and execute arbitrary code. The affected versions are Workstation 17.x and Fusion 13.x, with patches available in versions 17.5.2 and 13.5.2 […]

The post VMware Workstation and Fusion: Critical Security Flaws Fixed appeared first on TuxCare.

The post VMware Workstation and Fusion: Critical Security Flaws Fixed appeared first on Security Boulevard.

From MFA to biometrics, a lot has been done to reinforce user ID and password authentication — for human users.

Related: How weak service accounts factored into SolarWinds hack

By comparison, almost nothing has been done to strengthen service accounts… (more…)

The post RSAC Fireside Chat: Start-up Anetac rolls out a solution to rising ‘service accounts’ exposures first appeared on The Last Watchdog.

The post RSAC Fireside Chat: Start-up Anetac rolls out a solution to rising ‘service accounts’ exposures appeared first on Security Boulevard.

Media reports claim that cybersecurity experts have recently unveiled new details about a remote access trojan (RAT) named Deuterbear, employed by the China-linked hacking group BlackTech. This sophisticated Deuterbear RAT malware is part of a broader cyber espionage operation targeting the Asia-Pacific region throughout the year.   Advancements Over Waterbear Deuterbear exhibits notable advancements over […]

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on TuxCare.

The post Deuterbear RAT: China-Linked Hackers’ Cyber Espionage Tool appeared first on Security Boulevard.